The EU’s General Data Protection Regulation (GDPR) defines two new roles for data protection and compliance: data controllers and data processors. There is a significant difference between the two.
A data controller is a person, agency, body, or group which determines how and why personal data is processed. A data processor is a person, agency, body, or group which processes data on behalf of the data controller.
For example, Company A may collect personal data from its customers or employees in the form of contact details or information about their shopping habits. Company A would be defined as a data controller. On the other hand, Company B may handle data on behalf of Company A, such as a bank that collects or processes customer payments or processes payments to Company A’s employees; Company B would be a data processor.
It should be noted that a processing action can be adapting, retrieving, storing or using the data. Depending on how a company stores or uses its data (e.g. Company A may itself process customer payments or payments to its employees), it may be defined as both a data controller and a data processor.
Why It’s Important That Businesses Know the Difference
The differences between a data processor and a data controller may seem slight, and companies trying to work out which one they are may initially scratch their heads; that is how close the two terms can seem at first. It is nevertheless important for businesses to know the difference in order to be compliant with the GDPR, which is set to come into effect on May 25th, 2018. The GDPR clearly defines these two terms, as well as others, so that the new rules are understandable and implementable not only by companies in the EU, but by all companies that collect and handle information about data subjects who are EU residents.
Depending on whether your business is a data processor or a data controller (or both), you will have to take different actions to ensure that the data your business comes into contact with is properly protected. For example, as a data controller, you need to make sure that personal data cannot be attributed to an identified or identifiable subject. Data controllers must also act quickly (within 72 hours) to notify the authorities of a data breach after it happens.
In a recent report, data protection expert Dr Kwan Hon suggested that potential fines for data security breaches could be far more severe for data controllers when compared to the fines issued to data processors.
By comparison, the fines issued by the Information Commissioner’s Office (ICO) in 2016 could have been 79 times higher had they been issued under the GDPR, according to analysis by the NCC Group. While the ICO could issue fines of up to £500,000, under the GDPR fines could reach 10 million Euros or 4% of an organisation’s global turnover (whichever figure is higher).
By failing to know the difference between a data controller and a data processor, a business may fail to take the proper actions to protect the data it comes into contact with. As a result of misunderstanding the GDPR’s new definitions, businesses could also find themselves subject to a very hefty fine in the event of a data breach.
Most businesses cannot afford to (potentially) lose 4% of their turnover; in fact, for many businesses such a fine would be devastating. This highlights how important it is to know the difference between two very short turns of phrase.